Environment

Situation

Resolution

The following steps are similar for all versions of Windows NT-based operating systems.

Launch the Control PanelSelect SystemSelect Advanced system settingsSelect the Advanced tabClick the Settings button under Startup and RecoveryIn the System Failure section, deselect the automatic restart optionUnder the Write debugging information section, select the desired type of memory dump from the pick list - Small, Kernel, Complete, etc. If in doubt, select "Complete memory dump."

Note: If the "Complete" option does not appear in the drop-down list:

1. Open the registry editor regedit.exe).2. Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl3. Double-click the value "CrashDumpEnabled" and set/change the data to "1".

Upload the zipped memory dump to ftp.novell.com/incoming and send the Novell support engineer an email that you have uploaded the file.

How to force a memory dump from a hung workstation:

In certain situations, as in the case of a non-responsive (hung) workstation, or when the workstation does not crash or hang, but an application crashes, or if an unexpected delay is encountered, it is possible to force a memory dump of a workstation. In the case where the machine is "hung" or "frozen," wait 120 seconds or so before forcing the dump, just to be sure there isn't still forward motion still coming to a stop.

Method 1:

Use Microsoft's LiveKD utility.

1. Download Microsoft's LiveKD (http://technet.microsoft.com/en-us/sysinternals/bb897415) and extract to a temporary directory.2. Spawn an elevated Command Prompt ("Run as Administrator") and change to the LiveKD directory.3. Prepare, but do not execute, the command line "LiveKD.exe -o c:\MyDumpName.dmp". Substitute your preferred dump path and file name as needed.4. Perform the operation which will encounter the problem.5. Wait long enough to ensure that the machine is in the midst of the problem, then quickly execute the pending LiveKD command line. For example, if machine is "hung" or "frozen," wait 120 seconds or so before forcing the dump. Or, if you're experiencing an unexpected 15 second delay, perhaps wait until you're at least 5 seconds into the delay before executing LiveKD.6. LiveKD will always write a "Complete" memory dump, and so may take some time.7. Once complete, ZIP THE DUMP FILE before moving it off the machine, to ensure that the dump file is ultimately transferred intact.

Method 2:

Use Microsoft's "CrashOnCtrlScroll" configuration and method, as described in the Microsoft article:

c. Click on the Advanced tab. d. Click the Settings button in the "Startup and Recovery" section. e. In the "Write Debugging Information" section, select Complete Memory Dump. f. Deselect the "Automatically Reboot" option2. Create the "CrashOnCtrlScroll" DWORD value of 0x00000001 under either[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters] or[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters]depending on whether the machine uses a PS/2 or USB keyboard, respectively.3. Perform the operation which will encounter the problem.4. Wait long enough to ensure that the machine is in the midst of the problem, then force Windows to crash and write a kernel-mode memory dump by holding down the right CTRL key and pressing the SCROLL LOCK key two times.

For example, if machine is "hung" or "frozen," wait 120 seconds or so before forcing the dump. Or, if you're experiencing an unexpected 15 second delay, perhaps wait until you're at least 5 seconds into the delay before forcing the dump.5. Once complete, ZIP THE DUMP FILE before moving it off the machine, to ensure that the dump

file is transferred intact.

See also Microsoft KB Article 244139.http://support.microsoft.com/default.aspx?scid=kb;en-us;244139

Additional Information

If the "Complete memory dump" option is not available:

If the "Complete memory dump" option is removed from the choice list in the later Windows versions, it is because Windows knows that a Complete memory dump isn't possible. e.g. The amount of physical RAM is more than 2GB, or the page file size isn't set to the size of physical memory or greater.

The "How to generate a kernel or a complete memory dump file in Windows Server 2008" KB article (http://support.microsoft.com/kb/969028) presents a good deal of information on what's new and different regarding obtaining a crash dump on Vista/2008, and also covers the "how to manually force a dump" topic too. Although the document describes the possibility of enabling the "Complete" memory dump option even though the machine has over 4GB of memory, due to the issue described of dumps over 4GB potentially being corrupt and the general non-necessity of actually making and uploading a dump of that size, Novell recommends using the "truncatememory or removememory switches in the BCDEdit.exe" approach described in the document.

i.e. From an elevated command prompt (i.e. "Run as administrator"), execute this command:

BCDEDIT.EXE /set {current} truncatememory 0x80000000

to have Windows ignore all the memory above 2GB after the next reboot. Now (after reboot) the "Complete" memory dump option should become available, and the Complete dump generated won't be larger than 2GB.

To return the machine to its original memory configuration, execute this command:

BCDEDIT.EXE /deletevalue {current} truncatememory

Windows 7 Specific

When attempting to collect a memory dump in connection with a Windows 7 kernel-mode crash, the MEMORY.DMP file may be unexpectedly missing. This may be due to the following Windows 7-specific default behavior:

If there are less than 25GB of disk space free and the machine is not joined to a domain, by default Windows will delete a generated MEMORY.DMP file rather than keeping it. (After Windows reboots and reports the crash to Microsoft via the online crash analysis / Windows Error Reporting.)

If there are more than 25GB, or the machine is joined to a domain (read "corporate environment"), or you're actually on a Windows Server 2008 R2 (not Windows 7 Ultimate / Professional / Home), the MEMORY.DMP will be retained by default, as it always has in previous versions of Windows.

The Windows 7 default policy can be explicitly overridden by setting the following registry value:

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.